CN104468545A - Network security correlation analysis method based on complex event processing - Google Patents

Network security correlation analysis method based on complex event processing

Info

Publication number
CN104468545A
Authority
CN
China
Prior art keywords
event
network
rule
security
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410698577.4A
Other languages
Chinese (zh)
Inventor
沈德峰
王红艳
吴朝雄
石波
郭旭东
胡佳
谢小明
沈艳林
郭江
胡大正
廉海明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING AEROSPACE AIWEI ELECTRONIC TECHNOLOGY Co Ltd
706th Institute Of No2 Research Institute Casic
Original Assignee
BEIJING AEROSPACE AIWEI ELECTRONIC TECHNOLOGY Co Ltd
706th Institute Of No2 Research Institute Casic
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING AEROSPACE AIWEI ELECTRONIC TECHNOLOGY Co Ltd, 706th Institute Of No2 Research Institute Casic
Priority to CN201410698577.4A
Publication of CN104468545A
Legal status: Pending (current)

Abstract

The invention belongs to the field of network security technology and in particular relates to a network security correlation analysis method based on complex event processing, in which different events from different network event sources are correlated and analysed. The method takes into account both the threat a security event poses to the whole network and the importance of the directly attacked equipment or software; security events generated by a sequence of operations on the same object are analysed at multiple levels through a multi-level rule, and the risk values of all the security events can be accumulated so that the object is analysed as a whole. The multi-level correlation matching on the one hand fits the logical pattern that an attacker generally needs multiple steps to launch an attack, and on the other hand accumulates and sums the risk over the multiple events, so that the complex relations between the events are fully considered. In this way potential threats in the network are more easily detected, so that early warning and handling can be performed to protect the network.

Description

Network security correlation analysis method based on complex event processing
Technical field
The invention belongs to the technical field of network security, and in particular to a network security correlation analysis method based on complex event processing.
Background technology
The rapid growth of networks has brought convenience to daily life but also many problems. As networks keep expanding, attacks that damage them are becoming more frequent, and the network security situation is increasingly severe. Although networks currently have layered protection from hardware to software, these measures alone generally still cannot accurately and promptly discover every kind of attack launched against a target. In a complex network environment in particular, once an attacker holds partial information, more important information is easily obtained by forgery or by probing with that small amount of information. The many security events related to such behaviour often have complicated logical relations among them, and this kind of abnormal behaviour is not easily noticed by existing protection. It is therefore necessary to correlate and analyse these events comprehensively in order to discover and guard against such dangerous behaviour.
Network security correlation analysis based on complex event processing is the technique of performing multi-level correlation analysis on the atomic security events that come directly from event sources (meaning all kinds of security protection equipment, computer systems, software and so on) and on the complex events synthesized from them. The technique can discover potential network threats and thereby maintain network security.
Current research on network security analysis mainly comprises two directions. One studies a single kind of protection in isolation, for example intrusion detection and its protective effect on its own; the other adopts complicated mathematical methods or models and mines the network security state from a large volume of historical security events. Current research still has the following shortcomings:
the various network security events are not analysed comprehensively;
the mathematical mining algorithms or models generally require a large amount of historical data and are usually rather complicated, so execution efficiency is low, which is unfavourable for real-time analysis of the current security state.
Before the detailed description, two concepts are introduced first:
Atomic event: an event that cannot be broken down into smaller events and carries limited information. The atomic events referred to here are specifically the events produced in the network security field by computer system logs, all kinds of software and the various network security protection devices, after conversion to a unified format.
Complex event: an event composed of atomic events or complex events together with constraint rules defined on them. A complex event has two parts, <Element, Restraint>, where Element is the set of component events and Restraint is the constraint rule of the complex event. A constraint rule is usually made up of a number of operators, including intersection (And), union (Or), negation (Not) and sequence (Seq). Essentially, an atomic event can also be regarded as a special complex event without a Restraint constraint rule.
Summary of the invention
The present invention aims to solve the above problems by proposing a network security correlation analysis method based on complex event processing, in which the different events from different network event sources are correlated and analysed. Both the threat that a security event itself poses to the whole network and the importance of the directly attacked equipment or software are taken into account; security events produced by a sequence of operations on the same object are analysed at multiple levels through multi-level rules, and the risk values of all the security events can be accumulated in order to analyse that object as a whole. Because network security events are converted to a unified format, the present invention can perform correlation analysis both on homogeneous data from the same event source and on heterogeneous data from different event sources.
The complex events referred to here are specifically events in the network security field. Such an event mainly comprises four attribute sets: an identifier set used to distinguish events, an attribute set describing the event, the constraints acting on the attribute set, and the event risk set. The risk set contains two elements, threat degree and importance degree: threat degree measures how much the event threatens the network, and importance degree is the value of how important the associated device or software is to the whole network and the organisation.
A correlation rule is a constraint acting on events. One correlation rule may comprise multiple levels; each level, after matching events, can generate a new event, and the risk set of this new event is assigned according to the rule. By cumulatively summing the risk sets of the new events, one can judge whether all the events that caused them to be generated constitute a threat.
Fig. 1 shows the correlation analysis flow proposed for network security (only a two-level rule algorithm is listed here; multi-level rules follow by analogy):
The concrete steps of the method of the invention are as follows:
Step 1: convert network security events to a unified format by means of the security event model;
Step 2: perform first-level rule matching on the formatted events. The concrete matching process can be: according to the matching rule, the input security events are filtered on particular attribute fields, identical or similar events are aggregated and otherwise refined, a new compound event is generated, and its risk set is assigned according to the rule;
Step 3: for the risk set of the compound event from step 2, multiply its two elements, threat degree and importance degree, and at the same time compare the result with the alarm threshold in the correlation rule. If the result exceeds the alarm threshold set by the rule, alarm directly and remind the user to handle the network security alarm in time; otherwise proceed to second-level rule matching and calculation;
Step 4: second-level rule matching proceeds in the same way as first-level rule matching;
Step 5: calculate again on the risk set of the compound event from step 4. This product must be added to the result of step 3 before being compared with the alarm threshold in the correlation rule; if the cumulative result exceeds the alarm threshold, generate a higher-level alarm, otherwise return to first-level rule matching.
At this point the two-level rule matching is complete. Multi-level rules follow by analogy.
The multi-level correlation matching adopted by the present invention on the one hand fits the logical pattern that an attacker generally needs multiple steps to launch an attack, and on the other hand performs a cumulative sum of risk over multiple events, so that the complex relations among events are fully considered. This helps to find potential threats in the network, give early warning and handle them, and thereby protect the network.
Brief description of the drawings
Fig. 1 is the correlation analysis flow chart proposed for network security.
Embodiment
The preferred embodiment is described in detail below with reference to the flow chart. It should be emphasised that the following description is only illustrative and is not intended to limit the scope or application of the invention.
Step 1: convert network security events to a unified format by means of the security event model.
Network security event sources are of many kinds, and their formats differ. Converting all kinds of security events to a unified format before correlation analysis facilitates the subsequent calculation.
The event model adopted here comprises four attributes: E_Identifier, E_Attribute, Restraint and Risk.
E_Identifier is the identifier set that makes events easy to distinguish: E_Identifier={E_N, E_ID, E_Type}, where E_N is the event name, E_ID is a globally unique identification code that distinguishes different events, and E_Type indicates the event type and is mainly used here to distinguish events from different event sources.
E_Attribute is the set of attributes describing the event: E_Attribute={A_1, A_2, ..., A_n}, where A_1, A_2, ..., A_n are the individual attributes of the event; their order is not significant. For a firewall event, for example, A_1 can be the remote host IP address and A_2 the local host IP address, or equally A_1 the local host address and A_2 the remote host address, and so on.
Restraint represents the constraint rules acting on the attributes and, as in the definition of a complex event above, comprises the four operations union, intersection, negation and sequence.
Risk is the alarm part of network security event correlation analysis; during correlation analysis this field is used for the calculation and for producing alarms. Risk={threat, obj_imp}, where threat represents how great a threat this event poses to the network, expressed as any number between 0 and 10, a larger number meaning a greater threat to the network; obj_imp measures how important the associated device or software is to the whole network and the organisation, likewise expressed as any number between 0 and 10, a larger number meaning the device or software is more important to the network.
For example, a firewall event can be expressed as:
Event={fw_001,0000000001,fw,src_ip,dest_ip,…}
The security event name, id and attribute names defined above can be named according to some convention so that the name conveys its meaning as far as possible. In fw_001, for example, fw indicates a firewall event and 001 the firewall numbered 1. For an event coming directly from an event source such as a firewall, the rule (Restraint) and Risk attributes do not exist and can be set to empty.
Step 2: match the security events from step 1 against existing network security rules (these rules are similar to firewall filtering rules, but the rules discussed here are usually more complicated than those a firewall uses) and generate new events. Some attributes of the new event are reassigned.
Suppose the first-level rule is: a user logs in as an ordinary user to host a on the intranet of department A, fails three times in a row within 10 minutes outside working hours, and succeeds on the fourth attempt. The alarm threshold is set according to the actual network situation: the higher it is set, the fewer alarms are triggered, and vice versa, so it needs to be set reasonably. Here it is assumed to be 0.5 and denoted TLA (Threshold Level of Alarm), i.e. TLA=0.5. If this rule is matched, the threat degree of the event to network security is set to 5, and the importance degree of host a in the whole network is also set to 5.
Step 3: calculate the event risk value.
From the rule matching in step 2, the threat degree of the event and the importance degree of the associated device are obtained. The first-level rule match risk value can then be calculated as:
Value1(Risk) = threat1 * obj_imp1 / 100 = 5*5/100 = 0.25 < TLA
Here Value1(Risk) is the risk value to the network of event 1 (i.e. the user's three consecutive login failures), threat1 is how great a threat event 1 poses to the network, and obj_imp1 is the importance degree of host a on department A's intranet within the whole network.
The calculation shows that this risk value is below the alarm threshold set by the rule, so after first-level rule matching the system still need not alarm. If a second-level rule exists, second-level rule matching proceeds. For greater system safety, however, a locking operation on this host after several consecutive login failures may be configured according to the actual situation.
Step 4: second-level rule matching is similar to the first level; multi-level rules follow by analogy.
Suppose the second-level rule is: from host a of department A above, attempts are made to connect by ping to multiple hosts of the important department B, and a large volume of files is copied and transferred.
If this rule is matched, the threat degree of the event to network security is set to 8, and because department B is relatively sensitive and has an important function, the importance degree of its hosts in the whole network is also set to 8. The first- and second-level rules share one alarm threshold.
Step 5: calculate the event risk value again.
From the rule matching in step 4, the threat degree of all the events of step 4 and the importance degree of the associated devices are obtained. The second-level rule risk value can then be calculated as:
Value2(Risk) = threat2 * obj_imp2 / 100 + Value1(Risk) = 8*8/100 + 0.25 = 0.89 > TLA
Here Value2(Risk) is the risk value to the network of event 2 (event 2 is a compound event of several events: host a of department A attempting to connect by ping to multiple hosts of the important department B, and the large-volume file copy and transfer operation events), threat2 is how great a threat event 2 poses to the network, and obj_imp2 is the importance degree of department B's hosts and data.
The result shows that after the two rule matching passes the cumulative risk value has exceeded the set alarm threshold, so an alarm event must be generated for the above sequence of operations by this user, to warn that this sequence of operations carries a significant security risk. Since there are only two rule levels here, the calculation ends at this point.
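As an added example (not code from the patent), the two-level matching and cumulative risk calculation of steps 1 to 5 above in Python: the two rules of the embodiment are implemented over a constructed event stream, and the event field names, the 09:00-18:00 working-hours window and the thresholds for "multiple hosts" and "large volume" are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

TLA = 0.5  # Threshold Level of Alarm, the value the page's embodiment assumes

@dataclass
class Event:
    """Event after step 1: identifier set (E_N, E_ID, E_Type), attribute set, optional risk set."""
    name: str
    eid: str
    etype: str
    attrs: dict
    risk: Optional[tuple] = None  # (threat, obj_imp), each 0..10; empty for raw source events

@dataclass
class Rule:
    name: str
    match: Callable[[list], Optional[list]]  # returns the member events matched, or None
    threat: int
    obj_imp: int

def risk_value(ev: Event) -> float:
    """Risk value of a compound event: threat * obj_imp / 100, as in the page."""
    return ev.risk[0] * ev.risk[1] / 100

def rule_login_bruteforce(events):
    """Level 1: same user fails 3 times on host a within 10 minutes outside working hours, then succeeds."""
    logins = [e for e in events if e.etype == "auth" and e.attrs["host"] == "a"]
    for i in range(len(logins) - 3):
        w = logins[i:i + 4]
        if (all(e.attrs["result"] == "fail" for e in w[:3]) and w[3].attrs["result"] == "success"
                and len({e.attrs["user"] for e in w}) == 1
                and w[3].attrs["time"] - w[0].attrs["time"] <= timedelta(minutes=10)
                and w[0].attrs["time"].hour not in range(9, 18)):  # 09-18 = assumed working hours
            return w
    return None

def rule_lateral_copy(events):
    """Level 2: host a pings several department-B hosts and copies a large volume of files to them."""
    hits = [e for e in events if e.attrs.get("src") == "a" and e.attrs.get("dest_dept") == "B"]
    pinged = {e.attrs["dest"] for e in hits if e.etype == "icmp"}
    copied = sum(e.attrs["bytes"] for e in hits if e.etype == "file_copy")
    # ">= 2 hosts" and ">= 1 GB" are assumed thresholds; the page only says "multiple" and "large volume"
    return hits if len(pinged) >= 2 and copied >= 1_000_000_000 else None

RULES = [Rule("login_bruteforce", rule_login_bruteforce, 5, 5),   # step 2: threat 5, obj_imp 5
         Rule("lateral_copy", rule_lateral_copy, 8, 8)]           # step 4: threat 8, obj_imp 8

def correlate(events, rules=RULES, tla=TLA):
    """Steps 2-5: match level by level, accumulate risk, alarm once the sum exceeds TLA.
    Returns (alarm_level, cumulative_risk, trace); alarm_level 0 means no alarm was raised."""
    cumulative, trace = 0.0, []
    for level, rule in enumerate(rules, start=1):
        members = rule.match(events)
        if members is None:  # this level did not match: matching restarts at level 1 on the next batch
            break
        compound = Event(rule.name, f"cmp_{level:02d}", "compound",
                         {"members": [e.eid for e in members]}, (rule.threat, rule.obj_imp))
        cumulative = round(cumulative + risk_value(compound), 2)
        trace.append((compound.name, cumulative))
        if cumulative > tla:
            return level, cumulative, trace
    return 0, cumulative, trace

# Constructed sample stream (not from the page): 3 failed logins and 1 success on host a at 23:00,
# then pings from a to two department-B hosts and a 2 GB file copy from a to B
T0 = datetime(2024, 1, 1, 23, 0)
def _auth(n, result, minute):
    return Event("os_a", f"{n:010d}", "auth",
                 {"host": "a", "user": "bob", "result": result, "time": T0 + timedelta(minutes=minute)})
SAMPLE = [_auth(1, "fail", 0), _auth(2, "fail", 3), _auth(3, "fail", 5), _auth(4, "success", 7),
          Event("fw_001", "0000000005", "icmp", {"src": "a", "dest": "b1", "dest_dept": "B"}),
          Event("fw_001", "0000000006", "icmp", {"src": "a", "dest": "b2", "dest_dept": "B"}),
          Event("fs_001", "0000000007", "file_copy",
                {"src": "a", "dest": "b1", "dest_dept": "B", "bytes": 2_000_000_000})]
```

`correlate(SAMPLE)` reproduces the page's numbers: level 1 alone yields 0.25 (no alarm), and level 2 lifts the cumulative value to 0.89, above TLA, so a level-2 alarm is raised; feeding only the login events stops after level 1 with 0.25.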

Claims (1)

CN201410698577.4A | 2014-11-26 | 2014-11-26 | Network security correlation analysis method based on complex event processing | Pending | CN104468545A (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410698577.4A (CN104468545A, en) | 2014-11-26 | 2014-11-26 | Network security correlation analysis method based on complex event processing |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410698577.4A (CN104468545A, en) | 2014-11-26 | 2014-11-26 | Network security correlation analysis method based on complex event processing |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN104468545A (en) | 2015-03-25 |

Family

ID=52913917

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410698577.4A (Pending, CN104468545A, en) | Network security correlation analysis method based on complex event processing | 2014-11-26 | 2014-11-26 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN104468545A (en) |

Cited By (6)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104811452A (en) * | 2015-04-30 | 2015-07-29 | 北京科技大学 | Data mining based intrusion detection system with self-learning and classified early warning functions |
| CN108369541A (en) * | 2015-11-09 | 2018-08-03 | 西普霍特公司 | System and method for threat risk scoring of security threats |
| CN109478216A (en) * | 2016-05-04 | 2019-03-15 | 策安保安有限公司 | Parallelization and n-levelization of knowledge inference and statistics related systems |
| CN113449328A (en) * | 2021-08-31 | 2021-09-28 | 深圳市深航华创汽车科技有限公司 | Financial internet user data security processing method and system |
| CN113709149A (en) * | 2021-08-26 | 2021-11-26 | 北京天融信网络安全技术有限公司 | Network security analysis method and device, storage medium and electronic equipment |
| US11902303B2 (en) | 2014-02-24 | 2024-02-13 | Juniper Networks, Inc. | System and method for detecting lateral movement and data exfiltration |

Citations (2)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101034974A (en) * | 2007-03-29 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Associative attack analysis and detection method and device based on the time sequence and event sequence |
| CN101374052A (en) * | 2008-09-24 | 2009-02-25 | 信息产业部电信传输研究所 | Security protection system and method for telecommunication network and Internet |

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王雯霞,贾焰: "《一种网络安全事件关联分析的专家系统研究》", 《信息网络安全》*
韩正平,蔡凤娟,许榕生: "《网络安全信息关联分析技术研究与应用》",《网络安全信息关联分析技术研究与应用》*

Cited By (9)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11902303B2 (en) | 2014-02-24 | 2024-02-13 | Juniper Networks, Inc. | System and method for detecting lateral movement and data exfiltration |
| CN104811452A (en) * | 2015-04-30 | 2015-07-29 | 北京科技大学 | Data mining based intrusion detection system with self-learning and classified early warning functions |
| CN108369541A (en) * | 2015-11-09 | 2018-08-03 | 西普霍特公司 | System and method for threat risk scoring of security threats |
| CN108369541B (en) * | 2015-11-09 | 2023-09-01 | 西普霍特公司 | System and method for threat risk scoring of security threats |
| CN109478216A (en) * | 2016-05-04 | 2019-03-15 | 策安保安有限公司 | Parallelization and n-levelization of knowledge inference and statistics related systems |
| CN109478216B (en) * | 2016-05-04 | 2023-07-21 | 策安保安有限公司 | Parallelization and n-Hierarchization of Knowledge Inference and Statistical Related Systems |
| CN113709149A (en) * | 2021-08-26 | 2021-11-26 | 北京天融信网络安全技术有限公司 | Network security analysis method and device, storage medium and electronic equipment |
| CN113449328A (en) * | 2021-08-31 | 2021-09-28 | 深圳市深航华创汽车科技有限公司 | Financial internet user data security processing method and system |
| CN113449328B (en) * | 2021-08-31 | 2022-02-15 | 深圳市深航华创汽车科技有限公司 | Financial internet user data security processing method and system |

Similar Documents

| Publication | Title |
|---|---|
| US12047396B2 (en) | System and method for monitoring security attack chains |
| Fillatre et al. | Security of SCADA systems against cyber–physical attacks |
| CN104468545A (en) | Network security correlation analysis method based on complex event processing |
| Nagarajan et al. | IADF-CPS: Intelligent anomaly detection framework towards cyber physical systems |
| AU2017200941B2 (en) | Telemetry Analysis System for Physical Process Anomaly Detection |
| CN107204876B (en) | Network security risk assessment method |
| US10148685B2 (en) | Event correlation across heterogeneous operations |
| Garitano et al. | A review of SCADA anomaly detection systems |
| US9369484B1 (en) | Dynamic security hardening of security critical functions |
| CN105100122A (en) | Threat detection and alert method and system based on big data analysis |
| US10826920B1 (en) | Signal distribution score for bot detection |
| JP7311350B2 (en) | MONITORING DEVICE, MONITORING METHOD, AND MONITORING PROGRAM |
| EP3531324B1 (en) | Identification process for suspicious activity patterns based on ancestry relationship |
| CN107483425B (en) | Composite attack detection method based on attack chain |
| Kim et al. | Cost-effective valuable data detection based on the reliability of artificial intelligence |
| Waskita et al. | A simple statistical analysis approach for intrusion detection system |
| KR20220072939A (en) | Social advanced persistent threat prediction system and method using time-series learning-type ensemble AI techniques |
| CN115834412A (en) | Network security situation assessment method, device, electronic equipment and storage medium |
| CN115473675A (en) | Network security situation sensing method and device, electronic equipment and medium |
| Shi | Research on the network information security evaluation model and algorithm based on grey relational clustering analysis |
| KR102311997B1 (en) | Apparatus and method for endpoint detection and response terminal based on artificial intelligence behavior analysis |
| CN107493259A (en) | A kind of network security control system |
| CN103825875A (en) | Virtual machine detection method for vaccine inoculation strategy |
| Elshoush | An innovative framework for collaborative intrusion alert correlation |
| Cao et al. | Preemptive intrusion detection |

Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150325 |
